# MalQuery examples

The examples in this folder focus on leveraging CrowdStrike's MalQuery API to perform threat hunting operations.
## Search and Download samples from MalQuery

Downloads a specified number of examples from MalQuery that match the search term and type you specify. Results will be stored in zip archive format with the password of `infected`.

> [!WARNING]
> Samples downloaded from MalQuery have been confirmed as malware. Handle with extreme caution.
### Running the program

In order to run this demonstration, you will need access to CrowdStrike API keys with the following scopes:

| Service Collection | Scope |
| :---- | :---- |
| MalQuery | __READ__, __WRITE__ |
### Execution syntax

This example accepts the following input parameters.

| Parameter | Purpose |
| :--- | :--- |
| `-t`, `--type` | Type of pattern for the query. Select from ASCII, HEX, or WIDE. Defaults to ASCII. |
| `-v`, `--value` | The value for MalQuery to search. |
| `-f`, `--file` | Filename to save the downloaded samples to. File will be in zip format. |
| `-e`, `--examples` | Number of examples to download. Integer only. |
| `-k`, `--key` | Your CrowdStrike Falcon API Client ID |
| `-s`, `--secret` | Your CrowdStrike Falcon API Client Secret |

Downloads 3 `trickbot` samples from MalQuery:

```shell
python3 malqueryinator.py -v trickbot -f samples.zip -k $FALCON_CLIENT_ID -s $FALCON_CLIENT_SECRET -e 3
```
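The search-then-download flow behind that command (validate the pattern type and value, fuzzy-search, request an archive of the matching hashes, poll until it is ready, then inspect the `infected`-protected zip without extracting it to disk) is shown below as an added, offline example. It is not the sample's own `malqueryinator.py` code. The client method names (`fuzzy_search`, `samples_multidownload`, `get_request`, `get_samples`), the response field names (`resources`, `meta.reqid`, `meta.status`) and the `FakeMalQueryClient` stand-in are assumptions made for this example; the fake client serves harmless constructed byte strings, so nothing here touches live samples.

```python
"""Offline walk-through of the MalQuery search-then-download flow (added example)."""
import hashlib
import io
import time
import zipfile

PATTERN_TYPES = ("ascii", "hex", "wide")
ARCHIVE_PASSWORD = b"infected"  # password MalQuery sets on sample archives


def build_search_pattern(value: str, pattern_type: str = "ascii") -> dict:
    """Validate -t/--type and -v/--value and build one MalQuery pattern object."""
    ptype = pattern_type.lower()
    if ptype not in PATTERN_TYPES:
        raise ValueError(f"type must be one of {PATTERN_TYPES}, got {pattern_type!r}")
    if not value:
        raise ValueError("search value must not be empty")
    if ptype == "hex":
        bytes.fromhex(value)  # raises ValueError unless an even-length hex string
    return {"type": ptype, "value": value}


def search_and_download(client, value, pattern_type="ascii", examples=3,
                        poll_interval=0.0, max_polls=30) -> bytes:
    """Fuzzy-search, request an archive of the hits, poll until ready, return zip bytes.

    `client` is assumed to expose the FalconPy MalQuery method names
    (fuzzy_search, samples_multidownload, get_request, get_samples) and a
    {"status_code", "body"} response envelope; the body field names are assumptions.
    """
    if not isinstance(examples, int) or examples < 1:
        raise ValueError("examples must be a positive integer")
    pattern = build_search_pattern(value, pattern_type)
    search = client.fuzzy_search(patterns=[pattern], limit=examples)
    if search["status_code"] != 200:
        raise RuntimeError(f"search failed with HTTP {search['status_code']}")
    hashes = [hit["sha256"] for hit in search["body"].get("resources", [])][:examples]
    if not hashes:
        return b""
    req = client.samples_multidownload(samples=hashes)
    request_id = req["body"]["meta"]["reqid"]
    for _ in range(max_polls):  # bounded polling so a stuck request cannot hang us
        status = client.get_request(ids=request_id)["body"]["meta"]["status"]
        if status == "done":
            return client.get_samples(ids=request_id)
        if status == "failed":
            raise RuntimeError("MalQuery archive request failed")
        time.sleep(poll_interval)
    raise TimeoutError("archive was not ready after polling")


def inspect_archive(zip_bytes: bytes) -> list:
    """List the archive and check each member's sha256 against its file name.

    Members are read in memory only; nothing is written to disk.
    """
    report = []
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        for info in zf.infolist():
            data = zf.read(info, pwd=ARCHIVE_PASSWORD)
            digest = hashlib.sha256(data).hexdigest()
            report.append({"name": info.filename, "size": len(data),
                           "hash_matches_name": digest == info.filename})
    return report


class FakeMalQueryClient:
    """Constructed stand-in for the real API client: serves an in-memory zip of
    harmless constructed byte strings, each named by its sha256."""

    def __init__(self):
        self._samples = {hashlib.sha256(b).hexdigest(): b
                         for b in (b"constructed sample A", b"constructed sample B",
                                   b"constructed sample C")}
        self._requested = []
        self._polls = 0

    def fuzzy_search(self, patterns, limit):
        hits = [{"sha256": h} for h in list(self._samples)[:limit]]
        return {"status_code": 200, "body": {"resources": hits}}

    def samples_multidownload(self, samples):
        self._requested = list(samples)
        return {"status_code": 200, "body": {"meta": {"reqid": "constructed-req-1"}}}

    def get_request(self, ids):
        self._polls += 1  # first poll reports pending, later polls report done
        status = "pending" if self._polls < 2 else "done"
        return {"status_code": 200, "body": {"meta": {"status": status}}}

    def get_samples(self, ids):
        buf = io.BytesIO()
        with zipfile.ZipFile(buf, "w") as zf:
            for h in self._requested:
                zf.writestr(h, self._samples[h])
        return buf.getvalue()


if __name__ == "__main__":
    archive = search_and_download(FakeMalQueryClient(), "trickbot", examples=2)
    for entry in inspect_archive(archive):
        print(entry)
```

Against the real API you would pass a FalconPy `MalQuery` service class instance in place of `FakeMalQueryClient` and write the returned bytes to the `-f` file; the hash-versus-name check in `inspect_archive` is a cheap way to confirm the archive you saved contains exactly the samples you asked for before it goes anywhere near an analysis environment.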
#### Command-line help

Command-line help is available using the `-h` or `--help` parameters.

```shell
% python3 malqueryinator.py -h
usage: malquery.py [-h] [-t TYPE] -v VALUE -f FILE [-e EXAMPLES] -k KEY -s SECRET

Malquerinator

optional arguments:
  -h, --help            show this help message and exit
  -t TYPE, --type TYPE  Type of pattern for the malware query: ascii, hex, or wide
  -v VALUE, --value VALUE
                        Value for malware query of type determined by --t/--type arg
  -f FILE, --file FILE  Name of file to write to
  -e EXAMPLES, --examples EXAMPLES
                        Number of examples to download
  -k KEY, --key KEY     Falcon API Client ID
  -s SECRET, --secret SECRET
                        Falcon API Client secret
```
### Example source code

The source code for this example can be found here.